ACAS X safety analysis in the current RTCA environment

摘要

The typical process for developing a safety analysis within the current RTCA environment is in the form of an Operational Safety Assessment (OSA) as specified in RTCA DO-264 [1]. This assessment is typically performed at a high level and is usually a qualitative analysis resulting in qualitative safety requirements. This OSA is often included in a Safety and Performance Requirements Document (SPR). The manufacturer of an avionics system would apply the requirements allocated to the aircraft systems to the product as part of the design. The next step in the safety process would be to perform a Functional Hazard Analysis (FHA) using the hazards for the system that can be caused by the avionics and perform a fault tree (FT) analysis on those hazards, identifying causes of the hazards related to the avionics system functions and showing that those causes lead to a top level hazard that meets the safety objective assigned to the hazard. This safety objective is stated in the SPR. The manufacturer would then take the requirements from the SPR and design the system architecture. TCAS II has a different history than what is stated above. TCAS II requirements are defined in the form of a MOPS document [2]. Safety analyses were performed on each version of TCAS II as it progressed. However, the safety studies were not part of the MOPS and were not readily archived for industry use. ACAS X is being designed as an improvement to TCAS II in the current RTCA environment. ACAS X is being defined by a MOPS document not an SPR. Due to the highly prescriptive nature of the ACAS X MOPS, like TCAS II, RTCA SC-147 should produce some of the documentation that would normally be produced by the manufacturers. The following proposal is an effective way to address the safety requirements of the current environment given the history of TCAS II. The following approach is proposed for the ACAS X safety analysis. Perform two related safety analyses for ACAS X: 1) a high level qualitative OSA i- the spirit of DO-264 [1] (or FHA defined by ARP 4761 [3]) which includes the elements of an OSED, OHA, and ASOR and 2) a safety gap analysis that defines safety concerns in ACAS X, describes what was performed in the TCAS II safety studies [4-10] and how this is applicable to ACAS X, and finally what work remains to be done to complete the ACAS X safety analysis. The OSA/FHA would result in hazards with qualitative safety objectives and qualitative safety requirements. The safety gap analysis would result in a collection of analyses, simulations, tests etc. to cover all of the safety concerns of the new system. This approach should satisfy the requirements of all the stakeholders involved in the implementation of ACAS X. It is recommended that these two safety analyses be included in the MOPS for ACAS X as Appendices.